New research shows that Google Home and Chromecast devices are currently leaking detailed location information. Google is expected to fix the leak “in the coming weeks,” according to a report.
The report comes from KrebsOnSecurity, and the issue — an authentication weakness — was discovered by security researcher Chris Young of Tripwire. Young told Krebs “the attack works by asking the Google device for a list of nearby wireless networks and then sending that list to Google’s geolocation lookup services.”
In most cases involving IP location data, this might not be such a huge issue. But Google’s geolocation data is quite precise, as “Google can very often determine a user’s location to within a few feet.” Google’s system is even more effective in densely populated areas.
“An attacker can be completely remote as long as they can get the victim to open a link while connected to the same Wi-Fi or wired network as a Google Chromecast or Home device,” Young told KrebsOnSecurity.
The issue also provides an opportunity for scammers, who could use the bug to “make phishing and extortion attacks appear more realistic.” Hopefully, Google will issue its fix before any major damage is done.
This recent issue with Google’s devices won’t do much to dispel the notion that the Internet of Things is notoriously hard to secure. It comes not long after an Amazon Alexa device recorded a private conversation and sent it off to someone else. (Amazon had an explanation for that particular issue, but we’re wondering if the company’s answer was good enough for Echo users.)
If you are still considering buying a smart speaker — or considering switching to another platform — check out our recent series comparing Apple’s HomeKit, Amazon’s Alexa, and Google Home. Part 3 of our three-part series details security differences between the three big platforms.